Saturday, May 19, 2018

The nation relies on teachers to educate
our children and help them when they make mistakes. But when it
comes to protecting students’ data, it is often the teachers and
school staff who mistakenly let bad actors in to school computer
systems, officials say.

In a hearing
Thursday before the House Committee on Education and the Workforce, a
panel of educators, privacy experts and U.S. Department of Education
officials pointed to accidental
online errors by school staff as the main threat to protecting
school data.

In the state of Kentucky, which
experienced more than 4 billion attempted attacks on the computer
systems of K-12 services last year, the
greatest number of data breaches were the result of staff who fell
for email phishing scams, according to David Couch, CIO
for the Kentucky Education Technology System (KETS) at the Kentucky
Department of Education.

“By far the greatest vulnerability to
our systems is internal staff who fall victim to phishing attempts,”
Couch said during the hearing.

Leave it to kids in one of Michigan’s
best school districts to have figured out how to hack the district’s
grading system and (presumably) give themselves A’s.

A message
posted to the Bloomfield Hills Schools website alerts parents that “a
couple” students made “some poor choices lately,” hacking into
the district’s student information system and manipulating their
personal grades, attendance, and lunch balance information. The
database houses all of the district’s student and family data, the
notice says.

The students are in high school and
modified the information of their own accounts and those of other high
schoolers, Bloomfield Hills Schools Superintendent Robert Glass says
in a video message elsewhere on the website. A total of 20 students
saw changes made in the form of improved grades, improved attendance,
and reduced lunch balances.

A
dataset allegedly containing 200 million unique sets of personally
identifiable information (PII) exfiltrated from several popular
Japanese website databases emerged on underground forums, FireEye
reports.

Advertised
by a Chinese threat actor at around $150, the dataset contained
names, credentials, email addresses, dates of birth, phone numbers,
and home addresses, and was initially spotted in December 2017.

The
data appears sourced from a variety of Japanese websites, including
those in the retail, food and beverage, financial, entertainment, and
transportation sectors, and FireEye believes that the cybercriminals
obtained it via opportunistic compromises.

The Georgia Court of Appeals recently
reaffirmed its prior conclusion that there
is no duty to safeguard personal information under Georgia law.
In McConnell v. Ga. Dep’t of Labor, — S.E.2d —, 2018
WL 2173252 (Ga. App. May 11, 2018), the Court of Appeals addressed
whether a plaintiff whose social security number and other personal
identifying information (“PII”) had allegedly been negligently
disclosed by an employee of the Georgia Department of Labor stated a
negligence claim in connection with the unauthorized disclosure.

In urging that the Court of Appeals
should recognize such a duty, the plaintiff in McConnell relied
on the Georgia Personal Identity Protection Act (the “GPIPA”).
The plaintiff argued that the GPIPA supported recognizing a duty to
safeguard PII because the statute reflects the General Assembly’s
“intent to protect citizens from the adverse effects of disclosure
of personal information and created a general duty to preserve and
protect personal information.” McConnell, 2018 WL
2173252.

Two alleged owners of Mugshots.com—Sahar
Sarid and Thomas
Keesee—have been arrested
in south
Florida on a recently issued California warrant. The notorious
website publishes mugshots and then demands payment for their
removal.

… "This pay-for-removal scheme attempts
to profit off of someone else's humiliation," said Attorney
General Becerra in a statement.
"Those who can't afford to pay into this scheme to have their
information removed pay the price when they look for a job, housing,
or try to build relationships with others. This is exploitation,
plain and simple."

… The 29-page
affidavit provides a lengthy explanation of what prosecutors call
a "business permeated with fraud."

I sometimes think people don’t realize the
amount of time and passion Joe Cadillic dedicates to informing you
all of surveillance issues and online threats to our privacy. We’ll
get back to that later in this post, but for now:

This week, one of the links he sent me to share
with you all is a treasure.

Michael Bazzell writes:

Posted on May 15th, 2018

I received an email today from a reader
of the latest edition of my privacy book Hiding
from the Internet. In the book, I include an entire
chapter of opt-out links for removing personal information from
people-search, data-mining, marketing, and data broker websites. The
reader asked if I maintained a digital version of the workbook with
active hyperlinks for easy navigation. While I try to maintain a
page for
hyperlinks from the book, it did not quite replicate the workbook
model that is in the official publication. Today, I am releasing the
entire workbook in PDF format for free. I hope it helps the process
of cleaning up unwanted online details. The direct link is below.

EPIC has filed a “friend
of the court” brief, joined by forty-four technical experts and
legal scholars (members of the EPIC
Advisory Board), in the OPM
Data Breach case. The case concerns the data breach at the US
Office of Personnel Management in 2015 that affected 22 million
federal employees, their friends, and family members. In the brief
to the federal appeals court, EPIC said that “when personal data is
collected by a government agency, that agency has a constitutional
obligation to protect the personal data it has obtained.” In a
2011 case NASA
v. Nelson, EPIC urged the
Supreme Court to limit data collection by federal agencies, citing
the growing risk of data breach in the federal government.

Adding ‘touch’ to Tech. Hand holding for
people not comfortable with e-commerce?

A new Walmart
subsidiary, called Code Eight, has recently started testing a
personal shopping service for “busy NYC moms,” according to
multiple sources, with the goal of letting them get product
recommendations and make purchases simply through text messaging.

The target customer
of Code Eight is described in an online job listing as a “high net
worth urban consumer” — translation: A rich city dweller —
certainly not the historical sweet spot for Walmart’s main
business.

Household items are
delivered for free within 24 hours; other purchases are delivered
within two business days. Returns are picked up for free at a
customer’s apartment building or house.

North
Korea-tied hackers used Google Play and Facebook to infect defectors

Researchers said a team of hackers tied to North
Korea recently managed to get the Google
Play market to host at least three Android apps designed to
surreptitiously steal personal information from defectors of the
isolated nation.

The three apps first appeared in the official
Android marketplace in January and weren’t removed until March when
Google was privately notified. That’s according to a blog
post published Thursday by researchers from security company
McAfee. Two apps masqueraded as security apps, and a third purported
to provide information about food ingredients. Hidden functions
caused them to steal device information and allow them to receive
additional executable code that stole personal photos, contact lists,
and text messages.

The apps were spread to selected individuals, in
many cases by contacting
them over Facebook. The apps had about 100 downloads when
Google removed them. Nation-operated espionage campaigns frequently
infect a small number
of carefully selected targets and keep the number small in
an attempt to remain undetected. Thursday’s report is
the latest to document malicious apps
that bypassed Google filters designed to keep bad wares
out of the Play market.

… In January, McAfee reported finding
malicious apps targeting North Korean journalists and defectors.
Some of the Korean words found in the control servers weren’t used
in South Korea but were used in North Korea. The researchers also
found a North Korean IP address in a test log file of some Android
devices that were connected to accounts used to spread the malware.
McAfee said the developers didn’t appear to be connected to any
previously known hacking groups. The researchers named the group Sun
Team after finding a deleted folder called “sun Team Folder.”

… The company, LocationSmart, is a data
aggregator and claims to have
"direct connections" to cell carriers to obtain
locations from nearby cell towers. The site had its
own "try-before-you-buy" page that lets you test the
accuracy of its data. The page required
explicit consent from the user before their location data could be
used, by sending a one-time text message to the user. When we tried
with a colleague, we tracked his phone to a city block of his actual
location.

But that website had a bug that allowed anyone to
track someone's location silently without their permission.

"Due to a very elementary bug in the website,
you can just skip that consent part and go straight to the location,"
said Robert Xiao, a PhD student at the Human-Computer Interaction
Institute at Carnegie Mellon University, in a phone call.

"The implication of this is that
LocationSmart never required consent in the first place," he
said. "There seems to be no security oversight here."

The
U.S. Department of Homeland Security (DHS) this week published its
long-delayed Cybersecurity Strategy. It had been mandated by
Congress to deliver a strategy by March 2017, and did so on May 15,
2018.

The
strategy is defined in a high-level document (PDF)
of 35 pages. Its scope is to provide "the Department with a
framework to execute our cybersecurity responsibilities during the
next five years to keep pace with the evolving cyber risk landscape
by reducing vulnerabilities and building resilience; countering
malicious actors in cyberspace; responding to incidents; and making
the cyber ecosystem more secure and resilient."

… Of
necessity, however, the five pillars and seven goals are defined in
very basic terms. They define objectives, sub-objectives and
outcomes – but with little on methods. For example, goal #1 (the
risk identification pillar) is to assess evolving cybersecurity
risks. This will be achieved by working with "stakeholders,
including sector-specific agencies, nonfederal cybersecurity firms,
and other federal and nonfederal entities, to gain an adequate
understanding of the national cybersecurity risk posture, analyze
evolving interdependencies and systemic risk, and assess changing
techniques of malicious actors."

However,
nobody was able to predict, detect or prevent Russian meddling in the
2016 presidential election, nor the WannaCry and NotPetya outbreaks.
The implication is that something new and beyond just increased
interagency cooperation needs to be done to achieve genuine risk
identification.

A couple of years ago, Alphabet’s X “moonshot
factory” conjured up a concept that describes how total and
absolute data collection could be used to shape the decisions you
make. And now a video about that concept has leaked online.

The video was obtained and published
on Thursday by The Verge. It describes a so-called “Selfish
Ledger” that would collect all of your data, including actions you
make on your phone, preference settings, and decisions you make, and
not just keep it there for future evaluation. Instead, the ledger,
which would be designed and managed by Google, would interpret that
information and guide you down a path towards reaching a goal, or on
a broader scale, doing your part to help solve poverty or other
societal problems.

What
if an architecture emerges that permits constant monitoring; an
architecture that facilitates the constant tracking of behavior and
movement. What if an architecture emerged that would costlessly
collect data about individuals, about their behavior, about who they
wanted to become. And what if the architecture could do that
invisibly, without interfering with an individual’s daily life at
all? … This architecture is the world that the net is becoming.
This is the picture of control it is growing into. As in real space,
we will have passports in cyberspace. As in real space, these
passports can be used to track our behavior. But in cyberspace,
unlike real space, this monitoring, this tracking, this control of
behavior, will all be much less expensive. This control will occur
in the background, effectively and invisibly. – Lawrence Lessig, “The
Laws of Cyberspace,” 1998

DNA Data
From 100 Crime Scenes Has Been Uploaded To A Genealogy Website —
Just Like The Golden State Killer

The remarkable sleuthing method that tracked down
the Golden State Killer was not a one-off. A company in Virginia is
now working with several law enforcement agencies to solve cases
using the same “genetic genealogy” approach that led
investigators in California to arrest Joseph
James DeAngelo.

The company, Parabon NanoLabs, has already loaded
DNA data from about 100 crime scenes into a public genealogy database
called GEDmatch.
And in about 20 of these cases, the company says, it has found
matches with people estimated
to be the suspect’s third cousins or even closer relatives.

“We were actually pretty surprised,” Ellen
Greytak, Parabon’s director of bioinformatics, told BuzzFeed News.
With those known genetic connections, she said, investigators have a
good chance of using genealogical research to draw family trees and
identify possible suspects. Some arrests could come quickly, she
suggested. “I think
there is going to be press around this very soon.”

… At Microsoft, Horvitz helped establish an
internal ethics board in 2016 to help the company navigate
potentially tricky spots with its own AI technology. The group is
cosponsored by Microsoft’s president and most senior lawyer, Brad
Smith. It has prompted the company to refuse business from corporate
customers, and to attach conditions to some deals limiting the use of
its technology.

Horvitz declined to provide details of those
incidents, saying only that they typically involved companies asking
Microsoft to build custom AI projects. The group has also trained
Microsoft sales teams on applications of AI the company is wary of.

Google … promised that it would require a new,
hyperrealistic form of its voice assistant to identify itself as a
bot when speaking with humans on the phone. The pledge came two days
after CEO Sundar Pichai played impressive—and
to some troubling—audio clips in which the experimental
software made restaurant reservations with unsuspecting staff.

… Axios asked Google for the name of the hair
salon or restaurant, in order to verify both that the businesses
exist and that the calls were not pre-planned. We also said that
we'd guarantee, in writing, not to publicly identify either
establishment (so as to prevent them from receiving unwanted
attention).

A longtime Google spokeswoman declined to provide
either name.

We also asked if either call was edited, even
perhaps just cutting the second or two when the business identifies
itself. And, if so, were there other edits? The spokeswoman
declined comment, but said she'd check and get back to us. She
didn't.

… since politicians are known for boring,
repetitive, long-winded speeches, what could be a better political
platform than one that literally forbids using more than 280
characters at a time? Twitter seems good for Trump, too: As his
allies
often say, it gives the president a way to speak directly to the
American electorate, getting around the media’s filter. Trump’s
Twitter account is followed by 52
million people, not that far off from the nearly 63
million who voted for him in 2016.

But some data released this week should give Trump
and his supporters pause about the power of his Twitter account in
directly reaching American voters — and push the media to think
carefully about its coverage of Trump’s tweets. Only 8 percent of
U.S. adults say they follow Trump’s Twitter account
(@realDonaldTrump),
and only 4 percent say they follow his account and regularly read the
president’s tweets, according to a new
Gallup poll.

Via LLRX.com
– 2018
New Economy Resources and Tools – This guide by Marcus
Zillman provides researchers in multiple disciplines – law,
economists, academia, government, corporate, and journalism – the
latest, most reliable web resources for discovering sources to meet
the multifaceted needs of time sensitive, specific, actionable work
product. The global economic landscape is rapidly changing as
transparency, big data and the ability to access data from new and
now accessible databases are increasingly available through portals
and sites around the world. Understanding how to locate and leverage
new economy analytics, resources and alerts will provide you with
key tools and techniques to expand access to requisite knowledge
that you can apply daily in your work place.

Thursday, May 17, 2018

Last week, Motherboard
reported that a vigilante hacker had stolen data from a hacking
group that researchers say is a government-linked cyberespionage
unit. The data included GPS locations, text messages, and phone
calls that the group had taken from their own victims. Now, that
hacker has seemingly published the stolen data online for anyone to
download.

Digital
Free for All Part Deux: European Commission Proposal on E-Evidence

The European Commission has released a proposal to
enable EU-member states’ law enforcement authorities to access
digital information regardless of where that data is stored. It
shares several of the practical and human rights problems of the
similar piece of U.S. legislation known as the CLOUD
Act, as well as raising fresh concerns of its own.

The proposal, labelled “E-evidence
– cross-border access to electronic evidence” is now heading
to the European Parliament and Council for debate. The EU
institutions should review this measure closely before amplifying the
errors of the CLOUD Act and raising new problems for cross-border
access to electronic evidence. Left unchanged, the Commission
proposal will make a difficult situation worse.

What
Does the Proposal Mean for Digital Rights?

There will be a lot to debate in the Commission’s
proposal as it winds through the EU legislative process. However,
two initial areas of concern should be addressed swiftly by EU
institutions. First is the fact that this proposal could usher in a
paradigm shift in the system of cross-border access to data in criminal
investigations, risking a digital free for all and eliminating
critical junctures for judicial review of law enforcement requests
for data. The second concern centers around the proposal’s failure
to adequately safeguard human rights. We at EPIC pointed to
precisely these risks in our amicus
brief in the now mooted United States v. Microsoft case
concerning U.S. law enforcement access to data stored in Ireland.

Not quite tossing the baby with the bathwater, but
then this is only one example.

… As
security professionals, next week we can expect to see another
example of an unintended consequence when the General
Data Protection Regulations (GDPR) goes into effect. There are
actually a few unintended consequences from these new regulations,
but one of the most concerning is the upcoming response that domain
registrars are discussing through the global body the Internet
Corporation for Assigned Names and Numbers (ICANN). As the name
suggests, ICANN is responsible for maintaining the rules for WHOIS
data – essentially, a telephone directory-like structure that
contains detailed information on who signed up for a specific
Internet domain, including their name, address, email address and
telephone number. Such data is subject to the GDPR’s privacy
requirements for protection. As a result, under current proposals,
many of the businesses that register domains will remove key elements
of information from the system. In
effect, on May 25 the system will “go dark” until alternative
preparations are made, which ICANN representatives expect won’t
start being implemented until December 2018.

… Without
access to this critical resource, combatting criminal behavior on the
Internet becomes much more difficult. To make matters worse, during
the intervening months before an alternative solution for
GDPR-compliant access is available, attackers will be able to exploit
this new-found anonymity to their advantage. We may see an uptick in
spam and, more generally, in criminal activity. As we alter our
methods for data handling, we could be exposing the very individuals
we are striving to protect, to additional risk.

Jigsaw,
an incubator run by Google parent Alphabet, this week announced the
availability of Project Shield – which offers free distributed
denial of service (DDoS) protections – for the U.S. political
community.

… In
March last year, Google and Jigsaw announced a partnership to
offer Protect Your Election,
tools that would help news organizations, human rights groups, and
election monitoring sites fend off not only DDoS assaults, but also
phishing and account takeover attempts.

This
week, Jigsaw revealed that
Project Shield is now available for free to “U.S. political
organizations registered with the appropriate electoral authorities,
including candidates, campaigns, section 527 organizations, and
political action committees.”

Is the system smart enough to recognize that the
plate does not match the car?

Law
enforcement can identify your vehicle by make, model, year, color,
features via new software

News
release: “Leonardo’s ELSAG ALPR solutions are used by nearly
4,000 customers in over 25 countries by local, state, and federal law
enforcement agencies. Leonardo will introduce two new Automatic
License Plate Recognition (ALPR) solutions at the 2018 IACP
Technology Conference on May 21-23 in Providence, Rhode Island. The
ELSAG MTC and ECSS will be on display during the conference… After
years of research and development, Leonardo is proud to introduce
Make, Type and Color Recognition feature called ELSAG MTC to their
ELSAG Enterprise Operation Center (EOC). Using advanced computer
vision software, ELSAG ALPR data can now be processed to
include the vehicle’s make, type – sedan, SUV, hatchback, pickup,
minivan, van, box truck – and general colour – red, blue, green,
white and yellow. The solution actively recognizes the 34 most
common vehicle brands on U.S. roads.” [emphasis added]

Ovum:
“Globally, the native digital assistant installed base is set to
exceed 7.5 billion active devices by 2021, which is more than the
world population according to the US Census Bureau on May 1, 2017.
But fear not – Skynet, from the popular Terminator movies, does not
feature among the leading digital assistants. Instead, Google
Assistant will dominate the voice AI–capable device market with
23.3% market share, followed by Samsung’s Bixby (14.5%), Apple’s
Siri (13.1%), Amazon’s Alexa (3.9%), and Microsoft’s Cortana
(2.3%). Ovum’s Digital Assistant and Voice AI–Capable Device
Forecast: 2016–21 found that smartphones and tablets clearly
lead the voice AI–capable device market, with 3.5 billion active
devices in 2016, most of which use Google Now and Apple Siri.
However, the use of AI in conjunction with other devices greatly
increases consumer engagement and is set to unlock new opportunities,
particularly in the home. Ovum expects an exponential uptake of
voice AI capabilities among new devices, including wearable, smart
home, and TV devices, with a combined installed base of 1.63 billion
active devices in 2021, a tenfold increase on 2016. Despite all the
hype that surrounds AI-capable connected speakers, TV devices (i.e.
smart TVs, set-top boxes, and media streamers) offer a larger
opportunity, accounting for 57% of that installed base in 2021…”

(Related). If Alexa starts talking to itself in
eight voices, can it order itself to ‘kill the humans?’

Alexa
developers get 8 free voices to use in skills, courtesy of Amazon
Polly

Now Alexa’s voice apps don’t have to sound
like Alexa. Amazon today is offering a way for developers to give
their voice apps a unique character with the
launch of eight free voices to use in skills, courtesy of the
Amazon Polly service. The voices are only available in U.S. English,
and include a mix of both male and female, according to Amazon
Polly’s website.

… To use an Amazon Polly voice instead,
developers would use Structured Speech Markup Language (SSML) and
then specify which voice they want with the “voice name” tag.
This makes it easier to adjust what is said, as developers could just
change the text instead of having to re-record an mp3.

A Japanese rail company has apologised for one of
its trains leaving a station 25 seconds early, terming the incident
a great inconvenience placed upon customers which was truly
inexcusable. What is more concerning to the Japanese is that, in
the past months, this is not the first time this has happened with
West Japan Railways, also known as JR West. In November, a train
left 20 seconds early. The train pulled away from the Notogawa
Station platform at the 35th second of 7:11 a.m. instead of the
scheduled 7:12 a.m. after the conductor allegedly saw nobody on the
platform and figured that nobody would be affected by the 25 second
difference. However, one of the stranded passengers escalated their
complaint to the headquarters.

… Trump signed an executive order rearranging
the federal information technology infrastructure that includes no
mention of the White House cybersecurity coordinator or of a
replacement for Rob Joyce, who said last month that he is leaving the
position to return to the National Security Agency, where he
previously directed cyber-defense programs.

… Politico
first reported the elimination of the job on Tuesday. The White
House and the National Security Council didn't reply to requests for
comment about the decision, which came on the same day a major
computer security report again found government systems to be the
least secure among all industries.

(Related) Does the President think this is an
adequate replacement? Remove high level strategy, let every CIO do
his own thing?

… In December, the White House said the
government required a major overhaul of its information technology
systems as well as needing to protect data better and accelerate
moves toward using cloud-based technology.

The order on Tuesday seeks to address some of
those issues by giving agency CIOs authority similar to that of their
counterparts in the private sector, making it easier to attract
high-level talent for government technology jobs, one official said.

The
Outline: “Facebook’s January
12 announcement that it would begin to deprioritize news in
users’ News Feed left publishers shaking in their boots. “[B]y
making these changes, I expect the time people spend on Facebook and
some measures of engagement will go down,” admitted Mark
Zuckerberg, much to the horror of every major media outlet, most of
which relied heavily on the traffic generated from the site. And for
a while, it truly did look like the apocalypse was nigh: The
Outline’s investigation from early March showed that
traffic for most conservative publishers and nearly all publishers of
viral and needlessly polarizing content experienced a significant
drop in the month following the News Feed change. In the wake of
Newswhip’s
recent analysis of top publishers’ Facebook engagement data
over March and April, many
have come to the similar conclusions of partisan bias (though the
winners and losers often switch, depending on who’s talking).
However, new information that takes into account the last four months
as a whole — rather than merely looking at month-to-month trends —
tells a much different story. According to data
The Outline
obtained from research tool CrowdTangle, a subsidiary of Facebook,
Facebook’s January news feed algorithm change has had little to no
effect on mainstream conservative and liberal publishers in the long
run, with most actually experiencing increased interaction rates
following February. However, publishers of clickbait, purposefully
polarizing content, and/or blatantly fake news have experienced a
significant sustained drop in interaction in the months following
Facebook’s January News Feed deprioritization announcement. The
Outline came to these conclusions after analyzing the Facebook
interaction rates of 20 publishers from November 1, 2017 to April 20,
2018. CrowdTangle calculates a particular Facebook page’s
interaction rate by dividing the average number of interactions (i.e.
likes, comments, shares, etc.) in a given time period by the size of
the account…”

Twitter:
“In March, we introduced our
new approach to improve the health of the public conversation on
Twitter. One important issue we’ve been working to address is what
some might refer to as “trolls.” Some troll-like behavior is
fun, good and humorous. What we’re talking about today are
troll-like behaviors that distort and detract from the public
conversation on Twitter, particularly in communal areas like
conversations and search. Some of these accounts and Tweets violate
our policies, and, in those cases, we take action on them. Others
don’t but are behaving in ways that distort the conversation. To
put this in context, less than 1% of accounts make up the majority of
accounts reported for abuse, but a
lot of what’s reported does not violate our rules.
While still a small overall number, these accounts have a
disproportionately large – and negative – impact on people’s
experience on Twitter. The challenge for us has been: how can we
proactively address these disruptive behaviors that do not violate
our policies but negatively impact the health of the conversation? A
New Approach – Today, we use policies, human review
processes, and machine learning to help us determine how Tweets are
organized and presented in communal places like conversations and
search. Now, we’re tackling issues of behaviors that distort and
detract from the public conversation in those areas by integrating
new behavioral signals into how Tweets are presented. By using new
tools to address this conduct from a behavioral perspective, we’re
able to improve the health of the conversation, and everyone’s
experience on Twitter, without waiting for people who use Twitter to
report potential issues to us…”

If you’re not an Amazon
Prime subscriber but love Whole Foods, which is also an Amazon
property, you should check out the retailer’s brand new promotion
that’s targeting Whole Foods shoppers.

Amazon is ready to give you 10% off Whole Foods
purchases at already discounted prices, and cut prices on other Whole
Foods products each week.

Vice president of Amazon Prime Cem Sibay told The
Wall Street Journal that this week’s deals will be
available immediately in Florida stores and roll out to more than 460
stores nationwide this summer.

Cloud computing companies are enjoying marked
growth, and it's no surprise: the cloud
computing market shows no signs of slowing down its own
considerable growth. Forrester Research estimates the total global
public
cloud market will be $178 billion in 2018, up from $146 billion
in 2017, and will continue to grow at a compound annual growth rate
(CAGR) of 22%.

… So in our list of the 50 leading cloud
computing companies, you will see big names that have been around for
decades right alongside new entries.

The National Guard troops standing watch along the
United States’ southwest border may find themselves curious to know
what great mysteries lay beyond the muddy waters of the Rio Grande…
but alas, federal law forbids them from using their state-of-the-art
surveillance equipment to find out.

While the roughly 800
guardsmen holding the line in Texas, New Mexico, and Arizona are
permitted to use their naked eyes to peer across the divide, the
legal basis for President Donald Trump’s National Guard deployment
prohibits the troops from peeping southward through a pair of
binoculars — or any other piece of technology that makes things
appear closer than they actually are.

… Title 32
provides that the National Guard can operate “up to” the United
States-Mexico border, but that’s it. No peeking across!

… In
addition to the surveillance restrictions, the troops are also
prohibited from apprehending people or having any physical contact
with migrants. Those duties are left to the Border Patrol, which is
not shackled by the
Posse Comitatus Act of 1878, the post-Civil War statute that
limits military involvement in civilian law enforcement.

Tuesday, May 15, 2018

Hackers
have stolen an unknown amount of money from banks in Mexico in a
series of cyber attacks on the country's interbank payments system,
an official said Monday.

At
least five attacks on the Mexican central bank's Interbank Electronic
Payments System (SPEI) were carried out in April and May, said
Lorenza Martinez, director general of the corporate payments and
services system at the central bank.

"Some
transactions were introduced that were not recognized by the issuing
bank," she told Radio Centro.

"In
some cases these transfers made it through to the destination bank
and were withdrawn in cash."

… Some
Mexican media outlets have put the amount stolen at 400 million pesos
($20.4 million), but Martinez denied those reports.

"The
amount is currently being analyzed. Some of the transfers were
stopped, and the funds are currently being returned," she said.

She
said the money stolen belonged to the banks themselves and that
clients' funds were never affected.

The
interbank payments system allows banks to make real-time transfers to
each other.

They
connect via their own computer systems or an external provider –
the point where the attacks appear to have taken place, Martinez
said.

After
the attacks were detected, banks switched to a slower but more secure
method.

A follow-up to yesterday with a bit more detail.
Still looks like the actual algorithms are sound, but the process
that integrates it into email is flawed.

EFF:
“…you should stop
using PGP for encrypted email and switch to a different secure
communications method for now. A group of researchers
released a paper today that describes a new class of serious
vulnerabilities in PGP (including GPG), the most popular email
encryption standard. The new paper includes a proof-of-concept
exploit that can allow an attacker to use
the victim’s own email client to decrypt previously
acquired messages and return the decrypted content to the attacker
without alerting the victim. The proof of concept is only one
implementation of this new type of attack, and variants may follow in
the coming days. Because of the straightforward nature of the proof
of concept, the severity of these security vulnerabilities, the range
of email clients and plugins affected, and the high level of
protection that PGP users need and expect, EFF is advising PGP users
to pause in their use of the tool and seek other modes of secure
end-to-end communication for now. Because we are awaiting the
response from the security community of the flaws highlighted in the
paper, we recommend that for now you uninstall or disable your PGP
email plug-in. These steps are intended as a temporary, conservative
stopgap until the immediate risk of the exploit has passed and been
mitigated against by the wider community. There may be simpler
mitigations available soon, as vendors and commentators develop
narrower solutions, but this is the safest stance to take for now.
Because sending PGP-encrypted emails to an unpatched client will
create adverse ecosystem incentives to open incoming emails, any of
which could be maliciously crafted to expose ciphertext to
attackers…”

Should home owners be allowed to share video with
police? If not, why not?

… Mr. Bhat, a B.J.P. youth leader, said he
used WhatsApp to stay in constant touch with the 60 voters he was
assigned to track for the
party. He sent them critiques of the state government,
dark warnings about Hindus being murdered by Muslims — including a
debunked B.J.P. claim that 23 activists were killed by jihadists —
and jokes ridiculing Congress leaders. His own WhatsApp stream was
full of election updates, pro-B.J.P. videos, and false news stories,
including a fake poll purportedly
commissioned by the BBC that predicted a sweeping B.J.P. win.

… Facebook’s WhatsApp is taking an
increasingly central role in elections, especially in developing
countries. More than any other social media or messaging app,
WhatsApp was used in recent months by India’s political parties,
religious activists and others to send messages and distribute news
to Karnataka’s 49 million voters. While many messages were
ordinary campaign missives, some were intended to inflame sectarian
tensions and others were downright false, with no way to trace where
they originated.

Facebook took moderation action against almost
1.5bn accounts and posts which violated its community standards in
the first three months of 2018, the company has revealed.

In its first quarterly Community Standards
Enforcement Report, Facebook said the overwhelming majority of
moderation action was against spam posts and fake accounts: it took
action on 837m pieces of spam, and shut down a further 583m fake
accounts on the site in the three months. But Facebook also
moderated 2.5m pieces of hate speech, 1.9m pieces of terrorist
propaganda, 3.4m pieces of graphic violence and 21m pieces of content
featuring adult nudity and sexual activity.

Moscow-based Kaspersky Lab plans to open a data
center in Switzerland by the end of next year to help address Western
government concerns that Russia exploits its anti-virus software to
spy on customers.

… Kaspersky Lab said part of the new facility
would be based in Zurich, and the company had chosen Switzerland for
its “policy of neutrality” and strong data protection laws.

The United Nations campaign entitled #AI4good
highlights positive ways artificial intelligence (AI) can be used for
the good of humanity. The #AI4Good
Summit in Geneva this week highlights many ways AI can have
positive uses – both now and in the future. From the agenda, some
areas of positive applications of AI include medicine, education,
economic, and law enforcement applications.

An electrified road in Sweden that is the first in
the world to charge vehicles as they drive along is showing promise
and could potentially help cut the high cost of electric cars,
project backers Vattenfall and Elways told Reuters.

The state-funded project, named eRoadArlanda and
costing about 50 million crowns ($5.82 million), uses a
modified electric
truck that moves cargo from Stockholm’s Arlanda airport to
Postnord’s nearby logistics hub to test the technology.

An electrified rail embedded in the tarmac of the
2-km-long (1.24 miles) road charges the truck automatically as
it travels above it. A movable arm attached to the truck detects the
rail’s location in the road, and charging stops when the vehicle is
overtaking or coming to a halt.

The system also calculates the vehicle’s energy
consumption, which enables electricity costs to be debited per
vehicle and user.

Elways’ chief executive Gunnar Asplund said the
charging while driving would mean electric cars no longer need big
batteries — which can be half the cost of an electric car — to
ensure they have enough power to travel a useful distance.

Perspective. Facebook is unlikely to collapse,
but I expect it to try new methods of revenue generation. Perhaps
ad-free subscriptions? (What is the average Facebook user worth as
an Ad recipient?)

… Didi is getting its permit just weeks after
California introduced new rules around self-driving permits, the
brunt of which focused on completely
driverless vehicles. A total of 53
companies were part of this new permit batch, though many
of them are no strangers to the technology.

… In the medium term, Walmart may be able to
do some smart moves with Flipkart. I am sure it has built these
factors into its valuation — and if it has not, it should have.
Walmart and Flipkart will have better bargaining power with suppliers
(imagine the global might of both U.S. and India volumes while
negotiating rates with Chinese suppliers). Walmart could also apply
its e-commerce lessons from Flipkart and implement them in the U.S.
and other global plays (Jet.com, etc). I imagine this would have a
much greater bearing on Walmart’s thinking than a pure India play.
After all, few companies globally have been able to withstand
Amazon’s onslaught, as Walmart knows from previous experience.
Walmart’s sourcing might, combined with Flipkart’s e-commerce
prowess, can and should be a global play, not just an India play.

Consumer Cellular has spent years carving out a
lucrative niche in the wireless industry: selling mobile phones to
senior citizens.

Now the closely held Portland company looks to
apply that formula to tablets and smart-home equipment. The idea is
to offer technology that’s simpler to use, both for non-savvy
consumers and those who are physically challenged.

The company’s expansion begins this month with
the addition of the GrandPad to its lineup. The touch-screen tablet
was designed for older customers — people who may be intimidated by
an iPad. The interface lets users hold video chats with family
members, view photos or check up on news.

Monday, May 14, 2018

Oh wow, this could be bad! And I just recommended
PGP to my students. I wonder if it’s the plug-in and not the
actual encryption packages? Either way, I’m glad I taught my
students to build their own encryption system.

Throughout the many arguments over encrypted
communications, there has been at least one
constant: the venerable tools for strong email encryption are
trustworthy. That may no longer be true.

On Tuesday, well-credentialed cybersecurity
researchers will detail what they call critical vulnerabilities in
widely-used tools for applying PGP/GPG and S/MIME encryption.
According to Sebastian Schinzel, a professor at the Münster
University of Applied Sciences in Germany, the flaws could reveal the
“plaintext” that email encryption is supposed to cover up—in
both current and old emails.

The researchers are advising everyone to
temporarily stop using plugins for mail clients like Microsoft
Outlook and Apple
Mail that automatically encrypt and decrypt emails—at least until
someone figures out how to remedy the situation. Instead, experts
say, people should switch to tools like Signal, the encrypted
messaging app that’s bankrolled
by WhatsApp co-founder Brian Acton.

When contacted by Fortune, Schinzel
declined to divulge further details ahead of Tuesday’s
announcement, but he pointed to a blog
post from the world’s biggest digital rights
group, the Electronic Frontier Foundation (EFF) for further advice.
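Both the EFF advisory quoted above (May 15) and this summary make the same point: the ciphers are not what failed, the mail client's handling of decrypted content next to HTML is. One defensive check a mail gateway or a cautious user could run is to look at message structure before anything is rendered. The script below is an added example written for this post, not EFF's, the researchers', or any vendor's code. It assumes that PGP/MIME and S/MIME ciphertext arrives in the listed container types and that remote references in HTML are the channel to worry about; the three sample messages are constructed and contain no real ciphertext.

```python
"""Added example: flag MIME messages whose structure could let a mail client
leak decrypted content.  Standard library only; samples are constructed."""
import re
from email import message_from_string

# Containers that carry PGP/MIME or S/MIME ciphertext (assumption: the common
# labels; a production filter would also handle inline PGP in text/plain).
ENCRYPTED_CONTAINERS = {
    "multipart/encrypted",
    "application/pkcs7-mime",
    "application/x-pkcs7-mime",
}

# HTML constructs that make a renderer fetch a remote URL on display.
REMOTE_REF = re.compile(
    r"""<(?:img|link|iframe|script|style|video|audio)[^>]*?(?:src|href)\s*=\s*["']?\s*https?://"""
    r"""|url\s*\(\s*["']?\s*https?://""",
    re.IGNORECASE,
)


def audit_message(raw: str) -> dict:
    """Count encrypted containers and HTML parts, note HTML that references
    remote content, and return a delivery verdict for the whole message."""
    msg = message_from_string(raw)
    encrypted = 0
    html_bodies = []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ENCRYPTED_CONTAINERS:
            encrypted += 1
        elif ctype == "text/html":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            html_bodies.append(payload.decode(charset, "replace"))
    remote = sum(1 for body in html_bodies if REMOTE_REF.search(body))

    if encrypted and html_bodies:
        # Ciphertext and unencrypted HTML in one message: the HTML can wrap or
        # reference whatever the client decrypts, so hold it for review.
        verdict = "quarantine"
    elif remote:
        verdict = "strip-remote-content"
    else:
        verdict = "deliver"
    return {
        "encrypted_parts": encrypted,
        "html_parts": len(html_bodies),
        "html_with_remote_refs": remote,
        "verdict": verdict,
    }


# Constructed sample 1: unencrypted HTML with a remote image travelling next
# to a PGP/MIME part in the same message.
SAMPLE_MIXED = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

--outer
Content-Type: text/html; charset=utf-8

<html><body><p>Hello</p><img src="http://tracker.example.invalid/p.png"></body></html>
--outer
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="inner"

--inner
Content-Type: application/pgp-encrypted

Version: 1
--inner
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
constructed placeholder, not real ciphertext
-----END PGP MESSAGE-----
--inner--
--outer--
"""

# Constructed sample 2: a plain PGP/MIME message with no HTML at all.
SAMPLE_ENCRYPTED_ONLY = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="enc"

--enc
Content-Type: application/pgp-encrypted

Version: 1
--enc
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
constructed placeholder, not real ciphertext
-----END PGP MESSAGE-----
--enc--
"""

# Constructed sample 3: an ordinary HTML newsletter with a remote image.
SAMPLE_HTML_ONLY = """\
From: news@example.invalid
To: bob@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body><p>Weekly update</p><img src="https://cdn.example.invalid/logo.png"></body></html>
"""

if __name__ == "__main__":
    for name, raw in [("mixed", SAMPLE_MIXED),
                      ("encrypted-only", SAMPLE_ENCRYPTED_ONLY),
                      ("html-only", SAMPLE_HTML_ONLY)]:
        print(name, audit_message(raw))
```

The verdict deliberately treats "ciphertext plus any unencrypted HTML in the same message" as the thing to hold, not just remote references: the point of the disclosure is that the client, not the attacker, does the decrypting, so the safe posture on the receiving side is no HTML rendering and no automatic decryption until the plugin is patched.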

Ransomware
has infected the servers of the Riverside
Fire and Police department
for the second time in a month.

The
first
ransomware infection took
place on April 23, last month and encrypted ten months worth of work
data related to active investigations.

Officials said they didn’t pay the
ransom and were able to recover some of the data from previous
backups. Other data they recovered from public court records, but to
this day, the Riverside Fire and Police department have not fully
recovered from the first attack.

The
second infection took place last week, May 4, but only came to light
today when US Secret Service agents arrived in the Ohio town to help
with the investigation.

This
time around officials
appear to have learned their lesson and were actively
making backups on a daily basis. Officials said the second
ransomware infection only locked up data for the last eight hours of
work, and the department fully recovered after the second attack.

"Everything
was backed-up, but we lost about eight hours worth of information we
have to re-enter," City Manager Mark Carpenter told
local media.
"It was our police and fire records, so we just re-enter the
reports."

… This
is not the first ransomware infection that hit a police department
and has wiped data on investigations. Police in Cockrell Hill, Texas
suffered a similar incident in January 2017 when they lost
nearly eight years worth of evidence.

With
recent data breaches and the associated flood of PII onto the dark
web, synthetic identity fraud
is easier to commit than ever. Credit card losses due to this fraud
exceeded $800 million in the U.S. last year, says Julie Conroy, a
research director at Aite Group. Perhaps more shocking is just how
much of the fraud is going undetected, flying under the radar as
credit write-offs.

"One of the challenging aspects of this is
often it doesn't get recognized as fraud and gets written off as a
credit loss; so understanding the scope of the problem has been a
challenge," Conroy says in an interview with Information
Security Media Group about Aite's latest research. "A number of
institutions are starting to see fundamental shifts to things like
their credit delinquency curves that are only explainable by
synthetic identity fraud."

A type of fraud in which a criminal combines real
(usually stolen) and fake information to create a new identity, which
is used to open fraudulent accounts and make fraudulent purchases.
Synthetic identity
theft allows the criminal to steal money from any credit
card companies or lenders
who extend credit based on the fake identity.
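Because a synthetic identity reuses a real identifier (typically a stolen SSN) under an invented name and date of birth, the most direct signal a lender has is one identifier appearing with more than one identity. The screen below is an added example written for this post; it is not Aite Group's method or any bureau's product. It goes a little beyond the definition above by also flagging application velocity, which is an assumed heuristic, not something the article states; the applications and the "SSN-x" values are constructed placeholders.

```python
"""Added example: screen credit applications for synthetic-identity signals.
Heuristics and data are constructed for this example; SSNs are placeholders."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed applications (not real data).
APPLICATIONS = [
    {"id": 1,  "ssn": "SSN-A", "name": "Maria Lopez",  "dob": date(1980, 3, 2),  "applied": date(2018, 1, 10)},
    {"id": 2,  "ssn": "SSN-A", "name": "Maria  LOPEZ", "dob": date(1980, 3, 2),  "applied": date(2018, 4, 1)},
    {"id": 3,  "ssn": "SSN-B", "name": "Dana Smith",   "dob": date(1992, 7, 14), "applied": date(2018, 2, 3)},
    {"id": 4,  "ssn": "SSN-B", "name": "Jordan Reyes", "dob": date(1965, 11, 9), "applied": date(2018, 2, 5)},
    {"id": 5,  "ssn": "SSN-B", "name": "Jordan Reyes", "dob": date(1965, 11, 9), "applied": date(2018, 2, 6)},
    {"id": 6,  "ssn": "SSN-C", "name": "Chris Park",   "dob": date(1999, 1, 1),  "applied": date(2018, 3, 1)},
    {"id": 7,  "ssn": "SSN-D", "name": "Lee Nguyen",   "dob": date(1988, 5, 20), "applied": date(2018, 3, 2)},
    {"id": 8,  "ssn": "SSN-D", "name": "Lee Nguyen",   "dob": date(1988, 5, 20), "applied": date(2018, 3, 9)},
    {"id": 9,  "ssn": "SSN-D", "name": "Lee Nguyen",   "dob": date(1988, 5, 20), "applied": date(2018, 3, 20)},
    {"id": 10, "ssn": "SSN-D", "name": "Lee Nguyen",   "dob": date(1988, 5, 20), "applied": date(2018, 5, 30)},
]


def normalize_name(name: str) -> str:
    """Case- and whitespace-insensitive comparison so a re-typed name does
    not look like a second identity."""
    return " ".join(name.lower().split())


def distinct_identities(group):
    """Set of (name, dob) pairs that have applied with the same SSN."""
    return {(normalize_name(a["name"]), a["dob"]) for a in group}


def max_applications_in_window(dates, window: timedelta) -> int:
    """Largest number of applications whose dates fall inside one window
    (sliding-window count over sorted dates)."""
    dates = sorted(dates)
    best = start = 0
    for end, d in enumerate(dates):
        while d - dates[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def screen_applications(apps, window_days: int = 30, velocity_threshold: int = 3) -> dict:
    """Return {ssn: [reasons]} for every SSN that trips at least one check.
    The velocity check is an assumed heuristic added for this example."""
    by_ssn = defaultdict(list)
    for a in apps:
        by_ssn[a["ssn"]].append(a)

    flagged = {}
    for ssn, group in by_ssn.items():
        reasons = []
        identities = distinct_identities(group)
        if len(identities) > 1:
            reasons.append(f"{len(identities)} distinct name/DOB pairs share this SSN")
        burst = max_applications_in_window([a["applied"] for a in group],
                                           timedelta(days=window_days))
        if burst >= velocity_threshold:
            reasons.append(f"{burst} applications within {window_days} days")
        if reasons:
            flagged[ssn] = reasons
    return flagged


if __name__ == "__main__":
    for ssn, reasons in screen_applications(APPLICATIONS).items():
        print(ssn, "->", "; ".join(reasons))
```

On the constructed data, SSN-A is left alone (one identity, two applications months apart), SSN-B trips both checks (two identities, three applications in four days), and SSN-D trips only the velocity check. The identity-conflict check is the one that maps directly to the definition above; a real screen would also pull the identifier's history from a bureau, since a conflict only becomes visible once the stolen SSN has appeared under its legitimate owner somewhere in the data you can see.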

Data from millions of Facebook users who
used a popular personality app, including their answers to intimate
questionnaires, was left exposed online for anyone to access, a New
Scientist investigation has found.

Academics
at the University of Cambridge distributed the data from
the personality quiz app myPersonality to hundreds of
researchers via a website with insufficient security provisions,
which led to it being left vulnerable
to access for four years. Gaining access illicitly was
relatively easy.

The data was highly sensitive, revealing
personal details of Facebook users, such as the results of
psychological tests. It was meant to be stored and shared
anonymously, however such poor precautions were taken that
deanonymising would not be hard.

When
governments censor websites and block messaging apps like Telegram,
here's where to turn for proof

In Iran, use of the messaging app Telegram has
officially been banned.

For some 40 million Iranians, Telegram has been an
integral part of daily life, a place to talk with friends and family
beyond the reach of government censors. Which is why, after
anti-government protests broke out in the final days of 2017, the
government instructed the country's internet service providers to
implement temporary controls that
would make Telegram harder to use — before outright
banning its use this month.

Anecdotal reports are one thing. But to
understand how, exactly, Telegram was being blocked — and to what
extent in different parts of the country — researcher Mahsa
Alimardani turned to technical data gathered by a watchdog group
called the Open Observatory of
Network Interference, or OONI.

… All of the data collected by OONI's
measurement software — called probes — is stored in
a publicly accessible database, where anyone can go to understand
what's being blocked, filtered, or throttled in a particular country,
and how. That data can be used to track the evolution of information
controls over time or link censorship with political events like
elections and protests.

Provide closer
linkage and communication between the risk management processes and
activities at the C-suite or governance level of the organization
and the individuals, processes, and activities at the system and
operational level of the organization;

Institutionalize
critical organization-wide risk management preparatory activities to
facilitate a more effective, efficient, and cost-effective execution
of the RMF;

Demonstrate how
the Cybersecurity Framework can be aligned with the RMF and
implemented using established NIST risk management processes;

Integrate
privacy risk management concepts and principles into the RMF and
support the use of the consolidated security and privacy control
catalog in NIST Special Publication 800-53 Revision 5;

Promote the
development of trustworthy secure software and systems by aligning
life cycle-based systems engineering processes in NIST Special
Publication 800-160 with the steps in the RMF;

Integrate supply
chain risk management (SCRM) concepts into the RMF to protect
against untrustworthy suppliers, insertion of counterfeits,
tampering, unauthorized production, theft, insertion of malicious
code, and poor manufacturing and development practices throughout
the SDLC; and

Provide an alternative
organization-generated control selection approach to complement the
traditional baseline control selection approach…”

Platform business models are booming—becoming
bigger and more powerful than ever. Just consider that a few tweets
from the president caused Amazon’s market capitalization to fall by
about $40 billion, or that Russian influencers were able to reach 126
million people through Facebook. At OpenMatters, we spend a lot of
time studying network
orchestration—business models where companies facilitate
relationships and interactions, rather than serving up all the
products, services, and pieces of content themselves. Think
Facebook, Uber, Pinterest, Alibaba, Airbnb, and the myriad “unicorns”
that are being showered in investor dollars. These companies are
groundbreaking, leveraging network effects and near-zero
scaling cost to trounce competition or define new markets.
However, not all platform plays work—the business model alone
isn’t sufficient for success. There are lots of things that can
make a platform succeed or fail, of course, but an increasingly
central aspect of a successful platform strategy is machine learning.

… What happened is pretty clear: people got
tired of sorting through hundreds of unqualified applicants for every
job opening. The pile of resumes was too large, and the simple
algorithms attempting to serve up relevant content were insufficient
for the size and varied needs of the user base. Then, better
solutions emerged. Companies like LinkedIn and Glassdoor began
filling the gap—standing out by better curating professional
networks. Craigslist is another great example of an early platform
company that failed to innovate and curate, and is quickly
losing market share to added-value platforms like OfferUp or even
Facebook Marketplace.

… In addition to using machine learning to
parse and understand data generated by a network, platform companies
are now seeing the importance of AI for detecting and preventing
misuse. Fraudulent, criminal, and abusive behaviors are a problem
for many networks and companies are realizing that they can no longer
wash their hands of the actions of their users. Twitter has had to
take steps to curb
abuse, Yelp and LinkedIn are working on filtering out fake
content, and Facebook is likely at the beginning of a long journey to
prevent misuse following the Russian influencing scandal. These
platforms are simply too big and too complicated for manual or
human-led solutions to uncover and thwart misuse. Machine learning
and artificial intelligence are the only way to manage the content at
scale and as it evolves.

Russia Just
Showed Off Its New Robot Tank — And Confirmed It Was On The Ground
In Syria

Russia has been on the forefront of building
unmanned ground vehicles and last week the
Russian Defense Ministry confirmed that their armed drone tank
Uran-9 was tested in Syria.

The Uran-9 is powerfully armed with anti-tank
missiles, an automatic cannon, and a machine gun. It can also be
reconfigured to carry different weapons like surface-to-air missiles.
Additionally, the unmanned vehicle is equipped with advanced optics
and targeting systems including a laser warning system and thermal
imaging.

… Since its Syrian intervention in 2015, the
resurgent Russian military has battle tested an arsenal of new
weapons including the Su-57 stealth fighter jet, the T-90 battle
tank, ship-launched cruise missiles and air defense systems.

… In the case of the Uran-9, it is remotely
controlled by an individual from a mobile vehicle that must remain
within 1.8 miles. The automatic turret is able to detect and acquire
targets, but the ultimate decision to fire rests with the controller.

About Me

I live in Centennial Colorado. (I'm not actually 100 years old, but I hope to be some day.) I'm an independent computer consultant, specializing in solving problems that traditional IT personnel tend to have difficulty with... That includes everything from inventorying hardware & software, to converting systems & data, to training end-users. I particularly enjoy taking on projects that IT has attempted several times before with no success. I also teach at two local Universities: everything from Introduction to Microcomputers through Business Continuity and Security Management. My background includes IT Audit, Computer Security, and a variety of unique IT projects.